Status/Resolution/Reason: To Fix//BugVerified
Reporter/Name(from Bugbase): Bernhard D. / ()
Created: 08/13/2019
Components: General Server, Security
Versions: 2018
Failure Type: Incorrectly functioning
Found In Build/Fixed In Build: 2018.0.4+314546 /
Priority/Frequency: Normal / Few users will encounter
Locale/System: / Win 2012 Server x64
Vote Count: 0
Problem Description:
Converting strings between HTML-encoding and JavaScript-encoding does not work even if canonicalize parameter is set to true.
ColdFusion currently comes with esapi-2.1.0.jar.
According to my tests, this was an issue in the esapi jar and is fixed in the most recent version, esapi-2.2.0.0.jar.
I was working with legacy code and replaced all occurrences of HTMLEditFormat with EncodeForHTML and JSStringFormat with EncodeForJavaScript.
This led to double encodings which I wanted to correct by setting the second parameter to true.
This resulted in the word starting with the lower case ü instead of an upper case Ü.
Steps to Reproduce:
I have a word that starts with "LATIN CAPITAL LETTER U WITH DIAERESIS" - Ü.
This word is converted to HTML encoding using the esapi function EncodeForHTML. Then, it is encoded for a second time using EncodeForJavaScript.
<!--- Test word beginning with U+00DC (Ü) --->
<cfset strGermanWord = "Überraschung">
<!--- First pass: HTML-entity encoding --->
<cfset strHTMLEncoded = EncodeForHTML( strGermanWord )>
<!--- Reference: JS encoding of the raw word --->
<cfset strJSEncodedOrig = EncodeForJavaScript( strGermanWord )>
<!--- canonicalize=true should decode the HTML entities before JS encoding --->
<cfset strJSEncoded = EncodeForJavaScript( strHTMLEncoded, true )>
<cfoutput>#strJSEncodedOrig#</cfoutput>
<cfoutput>#strJSEncoded#</cfoutput>
Actual Result:
\xDCberraschung\xFCberraschung
"\xDC" is upper case; "\xFC" is lower case
Expected Result:
\xDCberraschung\xDCberraschung
Any Workarounds:
No workaround :(
ColdFusion 2016 also uses that old esapi library.
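The following Python model of the expected behaviour is an added example, not ColdFusion or ESAPI code: it implements an ESAPI-style HTML encoder, a case-preserving canonicalizer, and the JavaScript string encoder, plus the round-trip check the report performs (canonicalize-then-JS-encode must equal JS-encoding the raw word) and a detector for the double-encoding symptom. The entity forms it accepts (named, decimal and hex, in either case) and the \xHH/\uHHHH output format are assumptions about the expected output, taken from the report's results rather than from the ESAPI source.

```python
import html
import re

# Constructed sample input, taken from the report.
GERMAN_WORD = "Überraschung"

# Alphanumerics stay literal in both encoders (ESAPI-style behaviour, assumed).
_SAFE = re.compile(r"[A-Za-z0-9]")


def encode_for_html(s: str) -> str:
    """HTML-encode every non-alphanumeric character as a hex numeric entity."""
    return "".join(c if _SAFE.match(c) else f"&#x{ord(c):x};" for c in s)


def canonicalize(s: str) -> str:
    """Decode HTML entities (named, decimal, hex; any case) back to characters.

    html.unescape preserves the code point exactly, so &Uuml; / &#xDC; give Ü
    and never the lower-case ü the report observed.
    """
    return html.unescape(s)


def encode_for_javascript(s: str, canonicalize_input: bool = False) -> str:
    """Escape for a JS string literal: \\xHH below U+0100, \\uHHHH above."""
    if canonicalize_input:
        s = canonicalize(s)
    out = []
    for c in s:
        if _SAFE.match(c):
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


def is_double_encoded(js_encoded: str) -> bool:
    """Symptom of HTML-then-JS encoding without canonicalization: the entity's
    '&' survives into the JS encoder and shows up as \\x26."""
    return "\\x26" in js_encoded


def canonicalization_round_trips(word: str) -> bool:
    """The reporter's check: canonicalizing the HTML-encoded word and then
    JS-encoding it must equal JS-encoding the original word."""
    return encode_for_javascript(encode_for_html(word), True) == encode_for_javascript(word)
```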
Attachments:
Comments: